Attribute-based Authorization for Science Gateways Using GridShib Tom Scavo [email protected] National Center for Supercomputing Applications University of Illinois at Urbana-Champaign May 14, 2008


Page 1: Attribute-based Authorization for Science Gateways Using ...grid.ncsa.illinois.edu/presentations/globusworld-trscavo-20080514.pdf · 2008-05-14  · Attribute-based Authorization

Attribute-based Authorization for Science Gateways Using GridShib

Tom Scavo
[email protected]
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
May 14, 2008

Page 2: Overview

• GridShib Project Update
    • GridShib SAML Tools
    • GridShib for Globus Toolkit
• The TeraGrid Science Gateway Use Case
    • Community Account Model
    • Grid Authorization Model for Science Gateways
    • TeraGrid Deployment Strategy
    • Federated Identity Model for Science Gateways

Page 3: Acknowledgments

• Original Project PIs: Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
• Developers: Rachana Ananthakrishnan, Jim Basney, Tim Freeman, Raj Kettimuthu, Terry Fleury, Tom Scavo
• The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
• The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.

Page 4: GridShib Project Update

Page 5: History of GridShib

[Timeline figure with milestones Dec 2004, Aug 2006 and Apr 2008, labelled: Classic GridShib (nonbrowser user; attribute pull); TeraGrid Authentication, Authorization and Account Management Workshop (ANL); TeraGrid Science Gateway Use Case (browser user; attribute push).]

Page 6: GridShib Software

• GridShib for GT
    • Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed.
• GridShib for Shibboleth
    • Responds to attribute queries from GridShib for GT.
• GridShib CA
    • Issues short-lived X.509 credentials to browser users.
• GridShib SAML Tools
    • Issues or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates.

Page 7: Deployment Scenarios

[Figure: deployment scenarios A through E. Components: a Shib-enabled Gateway running a GT4 client with GS-ST; a Shib IdP whose Shib AA runs GS4Shib; a Shib-enabled GS-CA; a GT4 client with GS-ST; and GT4 with GS4GT. Artifacts exchanged: a browser session, SAML requests and SAML responses, SAML assertions, an X.509 end entity credential with its key, X.509 proxy certificates and X.509 proxy credentials carrying SAML.]

http://gridshib.globus.org/docs/gridshib/deploy-scenarios.html

Page 8: Recent Releases

• GridShib for Globus Toolkit v0.6.0
    • Released April 30, 2008
• GridShib SAML Tools v0.3.2
    • Released March 20, 2008
• http://gridshib.globus.org/download.html

Page 9: GridShib SAML Tools

• The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools
    • Binds a SAML assertion to an X.509 proxy certificate
    • The same X.509-bound SAML token can be transmitted at the transport level or the message level (using WS-Security X.509 Token Profile)
    • Includes the GridShib Security Framework, an API for producing and consuming X.509-bound SAML tokens
• GS-ST is a SAML producer

Page 10: GS-ST Features

• Easily installed and configured
• Binds arbitrary content (e.g., SAML) to a non-critical certificate extension
• Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1)
• CLI with shell scripts (UNIX and Windows)
• Includes a Java API for portal developers
• Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1

Page 11: X.509-bound SAML Token

• GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attribute-based authorization in X.509-based Grids
• The SAML token is bound to a noncritical X.509v3 certificate extension

[Figure: an X.509 certificate with Issuer: issuer DN, Subject: subject DN, and an X509v3 extension with OID 1.3.6.1.4.1.3536.1.1.1.12 whose content is the SAML assertion.]
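The extension sketched on this slide, worked through as an added example (not GridShib code): it DER-encodes an RFC 5280 Extension with the slide's OID, leaves the critical flag absent because DER omits a field equal to its DEFAULT FALSE, and decodes it back. The assertion bytes are a constructed placeholder, and treating the OCTET STRING content as the raw assertion is an assumption; the real tools may wrap the payload differently. Python is used instead of the tools' Java so the structure can be inspected without any library.

```python
"""Encode and decode the X509v3 extension that carries an X.509-bound SAML
token. Added example, not GridShib code: the extension OID comes from the
slide, the assertion payload is a constructed placeholder, and only the
Extension structure of RFC 5280 (not a whole certificate) is produced."""

SAML_EXT_OID = "1.3.6.1.4.1.3536.1.1.1.12"  # OID shown on the slide

# Constructed placeholder for the SAML assertion the gateway would embed.
SAMPLE_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    b'Issuer="https://gridshib.gisolve.org/idp"/>'
)


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER content octets: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(arc & 0x7F)
            arc >>= 7
        groups.reverse()
        out.extend(0x80 | g for g in groups[:-1])  # continuation bit on all but last
        out.append(groups[-1])
    return bytes(out)


def decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits a field equal to its DEFAULT, so the
    non-critical extension GridShib uses carries no BOOLEAN at all."""
    body = der_tlv(0x06, encode_oid(oid))
    if critical:
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, value)  # assumption: raw assertion bytes inside the OCTET STRING
    return der_tlv(0x30, body)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position just after the element)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_extension(der: bytes) -> dict:
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OID")
    critical = False
    tag, content, pos = read_tlv(body, pos)
    if tag == 0x01:  # the BOOLEAN is present only when the extension is critical
        critical = content == b"\xff"
        tag, content, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return {"oid": decode_oid(oid_bytes), "critical": critical, "value": content}


if __name__ == "__main__":
    ext = encode_extension(SAML_EXT_OID, SAMPLE_ASSERTION)
    print(ext.hex())
    print(decode_extension(ext))
```

Non-criticality is what makes the binding deployable in an existing X.509 Grid: a relying party that does not know the OID ignores the extension and validates the proxy certificate as usual, while a GS4GT-equipped container matches the OID and consumes the payload. A consumer should therefore locate the extension by OID rather than by position, and must still validate the certificate chain before trusting anything found inside it.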

Page 12: Security Tokens

[Figure: three SOAP messages, each a SOAP Envelope with a SOAP Header and a SOAP Body. X.509 Token: the header carries an X.509 certificate. SAML Token: the header carries a SAML assertion. X.509-bound SAML Token: the header carries an X.509 certificate with the SAML assertion embedded in it.]

Page 13: GridShib for GT

• GridShib for GT (GS4GT) is a plug-in for GT 4.x
    • GS4GT is compatible with both GT 4.0 and 4.2
• GS4GT is an implementation of a Grid Service Provider (analogous to a Shibboleth Service Provider)
• GS4GT is a SAML consumer

Page 14: GS4GT Features

• Introduces attribute-based authorization into GT
• Exposes a single comprehensive policy decision point called the GridShibPDP
• Implements an attribute push model
• Restricts access based on blacklists of IP addresses and/or name identifiers
• Provides attribute-based account mapping
• Supports optional gridmap short-circuiting
• Defines an attribute-based authorization policy language (in XML)

Page 15: GT4.0/4.2 Compatibility

• GS4GT adds a layer of abstraction that permits both GT4.0 and GT4.2 to be supported simultaneously

[Figure: the GS4GT PIP/PDP implementations sit on an abstraction layer above the GT4.0 PIP/PDP implementations and the GT4.2 PIP/PDP implementations.]

Page 16: GridShib Attribute Push

• In GT4.0 (deny-overrides), this works because the PDP is at the end of the chain
• In GT4.2 (permit-overrides), this authz chain does not honor SAMLBlacklistPDP

[Figure: authorization chain PushPIP → BlacklistPDP → AAPIP → MapPIP → SAMLPDP. The figure labels a Deny outcome at the BlacklistPDP and Deny, Permit or Indeterminate outcomes at the SAMLPDP.]

Page 17: GridShibPDP

[Figure: a single GridShibPDP whose possible outcomes are Deny, Permit or Indeterminate.]

Page 18: Complex Authz Policy

[Figure: an authorization chain composed of PushPIP, BlacklistPDP, AAPIP, MapPIP, SAMLPDP and PermitPDP stages, with additional MapPIP and SAMLPDP stages; the labelled outcomes are Deny and Permit, with Deny marked on each of the extra SAMLPDP stages.]
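To make the combining-algorithm problem from the GridShib Attribute Push slide concrete, here is an added example (not GridShib code) that runs the same blacklist and SAML PDP decisions under deny-overrides and permit-overrides, and then through one wrapper PDP in the spirit of the GridShibPDP. The PDP names follow the slides; their decision logic, the policy values and the sample requests are constructed, and the PIPs are left out because they only populate the request.

```python
"""Deny-overrides (GT4.0) versus permit-overrides (GT4.2) over the GridShib
PDP chain, and a single wrapper PDP that keeps the blacklist Deny effective
under permit-overrides. Added example, not GridShib code: the PDP names follow
the slides, but their decision logic and the sample data are constructed."""
from dataclasses import dataclass, field

DENY, PERMIT, INDETERMINATE = "Deny", "Permit", "Indeterminate"


@dataclass
class Request:
    """What the PIPs would have assembled: client address, SAML subject, attributes."""
    client_ip: str
    name_id: str
    attributes: dict = field(default_factory=dict)


# Constructed policy: one blacklisted address, one blacklisted name identifier
# (both placeholders), and the group value taken from the User Attributes slide.
POLICY = {
    "blocked_ips": {"192.0.2.10"},
    "blocked_names": {"blocked-user@example.org"},
    "required_group": "group://gisolve.org/gisolve",
}


def blacklist_pdp(req: Request, policy=POLICY) -> str:
    """SAMLBlacklistPDP stand-in: Deny on a blacklisted IP or name identifier,
    otherwise no opinion (Indeterminate)."""
    if req.client_ip in policy["blocked_ips"] or req.name_id in policy["blocked_names"]:
        return DENY
    return INDETERMINATE


def saml_pdp(req: Request, policy=POLICY) -> str:
    """SAMLPDP stand-in: Permit when the pushed attributes satisfy the policy."""
    if policy["required_group"] in req.attributes.get("isMemberOf", ()):
        return PERMIT
    return DENY


def deny_overrides(decisions) -> str:
    """GT4.0 style: any Deny wins; otherwise a Permit wins; otherwise Indeterminate."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else INDETERMINATE


def permit_overrides(decisions) -> str:
    """GT4.2 style: any Permit wins, which is exactly how an earlier Deny is lost."""
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else INDETERMINATE


def gridshib_pdp(req: Request, policy=POLICY) -> str:
    """Single comprehensive PDP: the blacklist is consulted first and a Deny
    short-circuits, so the chain combiner never sees a Deny beside a Permit."""
    if blacklist_pdp(req, policy) == DENY:
        return DENY
    return saml_pdp(req, policy)


CHAIN = [blacklist_pdp, saml_pdp]


def evaluate(req: Request, pdps, combine) -> str:
    return combine([pdp(req) for pdp in pdps])


def decide_gt40(req: Request) -> str:
    return evaluate(req, CHAIN, deny_overrides)


def decide_gt42(req: Request) -> str:
    return evaluate(req, CHAIN, permit_overrides)


def decide_gt42_gridshib(req: Request) -> str:
    return evaluate(req, [gridshib_pdp], permit_overrides)


if __name__ == "__main__":
    blocked = Request("192.0.2.10", "alice@example.org",
                      {"isMemberOf": ["group://gisolve.org/gisolve"]})
    for name, fn in (("GT4.0 chain", decide_gt40), ("GT4.2 chain", decide_gt42),
                     ("GT4.2 + wrapper PDP", decide_gt42_gridshib)):
        print(f"{name}: {fn(blocked)}")
```

The blacklisted-but-authorized request is the interesting input: the GT4.0 chain denies it, the GT4.2 chain permits it because the SAMLPDP's Permit overrides the BlacklistPDP's Deny, and the wrapper restores the Deny by deciding the two questions in one place. Whenever a container's combining algorithm can change under an upgrade, a policy that relies on chain order should be retested with exactly this kind of input.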

Page 19: Gridmap File

• Flat file format:
    DN → [user_0, user_1, …, user_{n-1}]
• Dual function identity-based gridmap file:
    1. Authorization Policy
    2. Username Mapping Policy
• A single gridmap file serves both functions

Page 20: Gridmap File (continued)

[Figure: the Globus gridmap file (lines "DN1 username1" and "DN2 username2") is split into two XML documents, the GridShib Authz Policy and the GridShib Mapping Policy.]

Page 21: GridShib Policy Files

• Two separate attribute-based policy files:
    1. Authorization Policy
       [A_0, A_1, …, A_{m-1}]
    2. Username Mapping Policy
       [A_0, A_1, …, A_{m1-1}] → [user_0, user_1, …, user_{n1-1}]
       [A_0, A_1, …, A_{m2-1}] → [user_0, user_1, …, user_{n2-1}]
       …
• A single XML-based policy file may encapsulate both types of policies
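An added example (not GridShib code, and not its XML policy language) covering the Gridmap File and GridShib Policy Files slides together: it parses a constructed gridmap in the Globus flat format, evaluates a dictionary form of the attribute-based authorization and username-mapping policies, and shows the optional gridmap short-circuiting listed under GS4GT Features. The reading of short-circuiting used here, that a DN present in the gridmap is authorized and mapped without consulting attributes, is an assumption. The isMemberOf value is the one from the User Attributes slide; the DNs, usernames and mail address are constructed.

```python
"""Gridmap lookup, attribute-based authorization and mapping policies, and
gridmap short-circuiting. Added example, not GridShib code: the policies are
plain dictionaries standing in for GridShib's XML policy files, the gridmap
lines and DNs are constructed, and the short-circuit semantics are assumed."""

# Constructed gridmap in the Globus flat format: quoted DN, then one or more
# comma-separated local usernames.
GRIDMAP_TEXT = '''\
# community credential of a science gateway
"/C=US/O=Example Gateway/CN=gateway.example.org" gwuser
"/C=US/O=Example Org/CN=Alice" alice,alice2
'''

# Authorization policy: a request is authorized if every attribute value of at
# least one rule is present ([A_0, ..., A_{m-1}] on the slide).
AUTHZ_POLICY = [
    {"isMemberOf": "group://gisolve.org/gisolve"},  # value from the User Attributes slide
]

# Username mapping policy: ordered rules, first match wins; each rule maps an
# attribute set to a list of candidate local usernames (constructed).
MAPPING_POLICY = [
    ({"isMemberOf": "group://gisolve.org/gisolve"}, ["gisolve"]),
]


def parse_gridmap(text: str) -> dict:
    """Map each DN to its list of local usernames, skipping blank and comment lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            end = line.index('"', 1)
            dn, rest = line[1:end], line[end + 1:]
        else:
            dn, _, rest = line.partition(" ")
        users = [u for u in rest.strip().split(",") if u]
        mapping.setdefault(dn, []).extend(users)
    return mapping


def matches(rule: dict, attributes: dict) -> bool:
    """Every attribute value the rule requires must be among the pushed values."""
    return all(value in attributes.get(name, ()) for name, value in rule.items())


def authorize(attributes: dict, policy=AUTHZ_POLICY) -> bool:
    return any(matches(rule, attributes) for rule in policy)


def map_username(attributes: dict, policy=MAPPING_POLICY):
    for rule, users in policy:
        if matches(rule, attributes):
            return users[0]
    return None


def decide(dn: str, attributes: dict, gridmap: dict, short_circuit: bool = False):
    """Return (authorized, local username, which policy decided).

    With short_circuit, the identity-based gridmap acts as both authorization and
    mapping policy for any DN it lists (assumed semantics); otherwise the two
    attribute-based policies decide and the attributes must satisfy both."""
    if short_circuit and dn in gridmap:
        return True, gridmap[dn][0], "gridmap"
    if not authorize(attributes):
        return False, None, "authorization policy"
    user = map_username(attributes)
    if user is None:
        return False, None, "mapping policy"
    return True, user, "attribute policies"


if __name__ == "__main__":
    gm = parse_gridmap(GRIDMAP_TEXT)
    community_dn = "/C=US/O=Example Gateway/CN=gateway.example.org"
    attrs = {"isMemberOf": ["group://gisolve.org/gisolve"], "mail": ["user@example.org"]}
    print(decide(community_dn, attrs, gm))
    print(decide(community_dn, attrs, gm, short_circuit=True))
```

Run against the gateway's community DN, the two modes show the point of the Community Account Model slide: with short-circuiting every request from the gateway collapses onto the gridmap account, while the attribute policies let the resource provider authorize and map the individual user behind the same community credential. A request whose attributes pass the authorization policy but match no mapping rule is refused rather than silently mapped, which is the failure mode to watch for when the two policies are maintained as separate files.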

Page 22: The TeraGrid Science Gateway Use Case

Page 23: Science Gateway

[Figure: a Web Browser reaches the Science Gateway's Web Interface (Web Authn); a Webapp in the gateway's Java WS Container drives a WS GRAM Client, which holds the community credential with its key and issues a proxy credential (proxy certificate plus key); the WS GRAM Client calls the Resource Provider's WS GRAM Service, where requests run under the community account.]

Page 24: Community Account Model

• A community credential is issued to each gateway
• The gateway issues proxy certificates (on-the-fly) and makes grid requests on behalf of the user
• This community account model is easy to implement but has some significant drawbacks
• All requests look exactly the same to the resource provider

Page 25: Grid Authorization Model

• The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
• Using GridShib SAML Tools, the gateway
    1. issues a SAML assertion containing the user's authentication context and attributes
    2. binds the SAML assertion to a proxy certificate signed by the community credential
    3. authenticates to the resource by presenting the SAML-laden proxy certificate

http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf

Page 26: GridShib-enabled Gateway

[Figure: as on the Science Gateway slide, but the Webapp hands the username and attributes to the GridShib SAML Tools, which produce a proxy credential (proxy certificate carrying SAML, plus key) signed with the community credential; the WS GRAM Client presents it to the Resource Provider, where the Java WS Container (with GridShib for GT) runs a GridShib SAML PIP in front of the WS GRAM Service, consults Policy, writes Logs and populates the Security Context.]

Page 27: User Attributes

• Gateway entityID: https://gridshib.gisolve.org/idp
• Subject name identifier: [email protected]
• Authentication statement
    • authentication method: urn:oasis:names:tc:SAML:1.0:am:password
    • authentication instant: 2007-08-02T12:10:34-0400
    • IP address: 10.81.193.244
• Attribute statement
    • isMemberOf attribute: group://gisolve.org/gisolve
    • mail attribute: [email protected]

Page 28: Current Work

[Figure: at the Resource Provider, the Java WS Container (with GridShib for GT) runs the GridShib SAML PIP and the WS GRAM Service with Policy, Logs and a Security Context, alongside a Security table, a GRAM audit table and the TGCDB.]

Page 29: TeraGrid Deployment Strategy

1. GridShib SAML Tools at the Gateway
    • http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
2. GridShib for GT at the RP
    • Integrate GS4GT into CTSS4
3. Evaluate Shibboleth as a browser-facing federated identity solution
    • Planned Shib work at the TG user portal
    • For the most part, Shibboleth has not yet entered the TeraGrid consciousness

Page 30: Federated Identity Model

[Figure: steps A through D. Components: a Browser; the TeraGrid Science Gateway as a Shib-enabled Grid Portal with a GridShib-enabled Grid Client; a Shibboleth Identity Provider with an SSO Service and a GridShib-enabled Attribute Service; and a GridShib-enabled Grid SP. Artifacts exchanged: SAML requests, SAML responses and SAML assertions, an X.509 end entity credential with its key, and an X.509 proxy certificate/proxy credential carrying SAML.]

Page 31: Thank you!

Tom Scavo
[email protected]

GridShib
http://gridshib.globus.org/